Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 34.053708] audit: type=1400 audit(1600757858.237:8): avc: denied { execmem } for pid=6344 comm="syz-executor101" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 34.066644] ==================================================================
[ 34.081068] BUG: KASAN: slab-out-of-bounds in squashfs_get_id+0x181/0x1a0
[ 34.087999] Read of size 8 at addr ffff88809fbd46b8 by task syz-executor101/6344
[ 34.095523]
[ 34.097147] CPU: 1 PID: 6344 Comm: syz-executor101 Not tainted 4.14.198-syzkaller #0
[ 34.105019] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.114347] Call Trace:
[ 34.116946]  dump_stack+0x1b2/0x283
[ 34.120554]  print_address_description.cold+0x54/0x1d3
[ 34.125806]  kasan_report_error.cold+0x8a/0x194
[ 34.130452]  ? squashfs_get_id+0x181/0x1a0
[ 34.134659]  __asan_report_load8_noabort+0x68/0x70
[ 34.139564]  ? squashfs_get_id+0x181/0x1a0
[ 34.143786]  squashfs_get_id+0x181/0x1a0
[ 34.147824]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[ 34.153512]  ? squashfs_read_metadata+0x2a6/0x370
[ 34.158356]  squashfs_read_inode+0x1a2/0x1840
[ 34.163272]  ? squashfs_read_id_index_table+0xc0/0xc0
[ 34.168450]  ? new_inode+0xc7/0xf0
[ 34.171985]  ? lock_acquire+0x170/0x3f0
[ 34.175935]  ? do_raw_spin_unlock+0x164/0x220
[ 34.180463]  squashfs_fill_super+0x1138/0x1640
[ 34.185027]  mount_bdev+0x2b3/0x360
[ 34.188640]  ? squashfs_alloc_inode+0x40/0x40
[ 34.193117]  mount_fs+0x92/0x2a0
[ 34.197419]  vfs_kern_mount.part.0+0x5b/0x470
[ 34.201905]  do_mount+0xe53/0x2a00
[ 34.205427]  ? copy_mount_string+0x40/0x40
[ 34.209651]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 34.214641]  ? copy_mnt_ns+0xa30/0xa30
[ 34.218511]  ? copy_mount_options+0x1fa/0x2f0
[ 34.222979]  ? copy_mnt_ns+0xa30/0xa30
[ 34.226841]  SyS_mount+0xa8/0x120
[ 34.230275]  ? copy_mnt_ns+0xa30/0xa30
[ 34.234137]  do_syscall_64+0x1d5/0x640
[ 34.239142]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.244317] RIP: 0033:0x446d2a
[ 34.247492] RSP: 002b:00007ffcd9ed2558 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 34.255174] RAX: ffffffffffffffda RBX: 00007ffcd9ed25b0 RCX: 0000000000446d2a
[ 34.262855] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcd9ed2570
[ 34.270899] RBP: 00007ffcd9ed2570 R08: 00007ffcd9ed25b0 R09: 00007ffc00000015
[ 34.278156] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 34.286321] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 34.293593]
[ 34.295197] Allocated by task 6344:
[ 34.298813]  kasan_kmalloc+0xeb/0x160
[ 34.302589]  __kmalloc+0x15a/0x400
[ 34.306120]  squashfs_read_data+0x153/0x1140
[ 34.310502]  squashfs_read_table+0x11c/0x18d
[ 34.314886]  squashfs_read_xattr_id_table+0x16d/0x1c0
[ 34.320048]  squashfs_fill_super+0xcba/0x1640
[ 34.324516]  mount_bdev+0x2b3/0x360
[ 34.328119]  mount_fs+0x92/0x2a0
[ 34.331458]  vfs_kern_mount.part.0+0x5b/0x470
[ 34.335925]  do_mount+0xe53/0x2a00
[ 34.339441]  SyS_mount+0xa8/0x120
[ 34.342869]  do_syscall_64+0x1d5/0x640
[ 34.346741]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.351911]
[ 34.353509] Freed by task 6344:
[ 34.356774]  kasan_slab_free+0xc3/0x1a0
[ 34.360734]  kfree+0xc9/0x250
[ 34.363836]  squashfs_read_data+0x931/0x1140
[ 34.368244]  squashfs_read_table+0x11c/0x18d
[ 34.372640]  squashfs_read_xattr_id_table+0x16d/0x1c0
[ 34.377820]  squashfs_fill_super+0xcba/0x1640
[ 34.382303]  mount_bdev+0x2b3/0x360
[ 34.385904]  mount_fs+0x92/0x2a0
[ 34.389245]  vfs_kern_mount.part.0+0x5b/0x470
[ 34.393713]  do_mount+0xe53/0x2a00
[ 34.397236]  SyS_mount+0xa8/0x120
[ 34.400671]  do_syscall_64+0x1d5/0x640
[ 34.404541]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.409702]
[ 34.411316] The buggy address belongs to the object at ffff88809fbd4680
[ 34.411316]  which belongs to the cache kmalloc-32 of size 32
[ 34.424222] The buggy address is located 24 bytes to the right of
[ 34.424222]  32-byte region [ffff88809fbd4680, ffff88809fbd46a0)
[ 34.436431] The buggy address belongs to the page:
[ 34.441348] page:ffffea00027ef500 count:1 mapcount:0 mapping:ffff88809fbd4000 index:0xffff88809fbd4fc1
[ 34.450777] flags: 0xfffe0000000100(slab)
[ 34.454900] raw: 00fffe0000000100 ffff88809fbd4000 ffff88809fbd4fc1 0000000100000039
[ 34.462764] raw: ffffea0002841aa0 ffffea00027900a0 ffff88812fe501c0 0000000000000000
[ 34.470636] page dumped because: kasan: bad access detected
[ 34.476331]
[ 34.477933] Memory state around the buggy address:
[ 34.482848]  ffff88809fbd4580: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[ 34.490245]  ffff88809fbd4600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 34.497604] >ffff88809fbd4680: fb fb fb fb fc fc fc fc 00 04 fc fc fc fc fc fc
[ 34.504958]                                         ^
[ 34.510128]  ffff88809fbd4700: 00 04 fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
[ 34.517469]  ffff88809fbd4780: 00 04 fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
[ 34.524806] ==================================================================
[ 34.532143] Disabling lock debugging due to kernel taint
[ 34.538226] Kernel panic - not syncing: panic_on_warn set ...
[ 34.538226]
[ 34.545857] CPU: 1 PID: 6344 Comm: syz-executor101 Tainted: G B 4.14.198-syzkaller #0
[ 34.554947] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.564296] Call Trace:
[ 34.566879]  dump_stack+0x1b2/0x283
[ 34.570500]  panic+0x1f9/0x42d
[ 34.573679]  ? add_taint.cold+0x16/0x16
[ 34.577631]  ? ___preempt_schedule+0x16/0x18
[ 34.582030]  kasan_end_report+0x43/0x49
[ 34.585981]  kasan_report_error.cold+0xa7/0x194
[ 34.590649]  ? squashfs_get_id+0x181/0x1a0
[ 34.594864]  __asan_report_load8_noabort+0x68/0x70
[ 34.599769]  ? squashfs_get_id+0x181/0x1a0
[ 34.603976]  squashfs_get_id+0x181/0x1a0
[ 34.608024]  ? squashfs_read_fragment_index_table+0xc0/0xc0
[ 34.613734]  ? squashfs_read_metadata+0x2a6/0x370
[ 34.619014]  squashfs_read_inode+0x1a2/0x1840
[ 34.623494]  ? squashfs_read_id_index_table+0xc0/0xc0
[ 34.628665]  ? new_inode+0xc7/0xf0
[ 34.632182]  ? lock_acquire+0x170/0x3f0
[ 34.636142]  ? do_raw_spin_unlock+0x164/0x220
[ 34.640613]  squashfs_fill_super+0x1138/0x1640
[ 34.645171]  mount_bdev+0x2b3/0x360
[ 34.648794]  ? squashfs_alloc_inode+0x40/0x40
[ 34.653261]  mount_fs+0x92/0x2a0
[ 34.656623]  vfs_kern_mount.part.0+0x5b/0x470
[ 34.661095]  do_mount+0xe53/0x2a00
[ 34.664616]  ? copy_mount_string+0x40/0x40
[ 34.668827]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 34.674789]  ? copy_mnt_ns+0xa30/0xa30
[ 34.678651]  ? copy_mount_options+0x1fa/0x2f0
[ 34.683117]  ? copy_mnt_ns+0xa30/0xa30
[ 34.686993]  SyS_mount+0xa8/0x120
[ 34.690417]  ? copy_mnt_ns+0xa30/0xa30
[ 34.694279]  do_syscall_64+0x1d5/0x640
[ 34.698140]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.703989] RIP: 0033:0x446d2a
[ 34.707868] RSP: 002b:00007ffcd9ed2558 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
[ 34.715565] RAX: ffffffffffffffda RBX: 00007ffcd9ed25b0 RCX: 0000000000446d2a
[ 34.722899] RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffcd9ed2570
[ 34.730144] RBP: 00007ffcd9ed2570 R08: 00007ffcd9ed25b0 R09: 00007ffc00000015
[ 34.737487] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 34.744759] R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
[ 34.753031] Kernel Offset: disabled
[ 34.756655] Rebooting in 86400 seconds..